ANSI C Based OPC UA Client/Server SDK
Security Lesson 2: Authenticating Users by Username and Password

This lesson will show how to add user authentication to the server using the SDK’s InternalEx Authentication Module.

Alternatively you could use one of the other authentication modules or write and use a custom one.

Files used in this lesson:

Step 1: Configuring the Endpoint

For telling the server to use Username/Password authentication, we need to set the endpoint configuration accordingly. We use the endpoint configuration of the previous lesson and simply set another TokenType. As this is the only UserTokenPolicy, clients are forced to use this authentication type, otherwise they are not able to connect.

/* Set the endpoint configuration to use Username/Password logon */
pEndpoint->pUserTokenPolicy = OpcUa_Alloc(sizeof(OpcUa_UserTokenPolicy));
pEndpoint->uNoOfUserTokenPolicy = 1;
OpcUa_String_AttachReadOnly(&pEndpoint->pUserTokenPolicy[0].PolicyId, "UserName");
OpcUa_String_AttachReadOnly(&pEndpoint->pUserTokenPolicy[0].SecurityPolicyUri, OpcUa_SecurityPolicy_Basic256Sha256);

Furthermore, we need to tell the SDK which authentication module to use. This is done by calling the UaServer_SetUserAuthenticationTypeEx function, passing UserAuthType_Internal_Ex as authentication type.

UaServer_SetUserAuthenticationTypeEx(&uaServer, UserAuthType_Internal_Ex, OpcUa_Null);

Step 2: Configuring Users and their Passwords

The next step is to set up the user database to be used for verifying logons. The SDK’s InternalEx authentication module uses a passwd file for this, one example file is provided with the lesson. As authorization is also enabled by default, we will need the group file provided with the example, too. There are some predefined users in the files, the passwords are listed in InternalEx Authentication Module. Simply copy the files next to the generated server application and start up the server.

When starting the server from within Visual Studio, the working directory is set to the folder containing the project file by default. The server expects the group and passwd files in its working directory, so copy the files next to the project file instead.

Step 3: Connecting using a Client with Username and Password

To test our configuration, we connect to the server using UaExpert.

Discover the server as shown in the previous lesson. You will notice the difference in the available authentication settings. Now, the Anonymous option is greyed out and only the Username/Password option is available. Select it and enter

  • Username: root
  • Password: secret

as credentials.

Figure 2-1 Add server in UaExpert


You might get the same certificate warning messages as in the previous lesson, if so follow the same steps. When the certificates have been accepted on both sides, you will be able to connect to the server, authenticated by username and password.